PC ProSchools – TechTalk

In the area of deployment and installation, there is often reference to the RIS (Remote Installation Server). Traditionally this technology was available on Windows Server 2003 and earlier. In order to install RIS, one method would be to go to a Windows Server and then Start–>Control Panel–>Add/Remove Windows Components. At that point we would begin by checking Remote Installation Services.

Well… that was true until Windows Server 2003 SP2. Microsoft found that the images associated with RIS had a number of limitations such as once they are created, they couldn’t be easily modified. Also, Images created by RIS were not hardware independent among devices such as motherboards. That means that if you have more than one type of PC in your environment, then you had to create more than one Image. This often led to many images for corporations, even though the OS features and software per image was the same, making management of the Images a full time job in and of itself. Businesses often made investments into third party utilities rather than deal with these limitations.

Microsoft completely redesigned its Deployment strategy to avoid some of the above mentioned problems, and to use it as a major selling point in Vista and Server 2008. The new version of RIS is now called Windows Deployment Services. It uses a new type of image called a wim. One of the really neat things is with a wim image, you can add drivers and software to the image as you need them, reducing administrative burden and conserving resources.

So with Server 2003 SP2 and later, there is no more RIS in the add/remove programs. The new technology has replaced RIS and is called Windows Deployment Services.

There are entire volumes written on the new Deployment strategies, and understanding them is a major part of being an IT professional. Begin your journey at TechNet at this link.

http://technet.microsoft.com/en-us/library/bb456438(TechNet.10).aspx

I am an IT instructor, which makes me something like a rock star. IT advice, questions, photographers all major problems for me every time I step outside. I need a way to block unwanted access to me, while still allowing some people to connect.

How can I do this?

IPSec, that’s how!

What is IPSec?

It is security for your network. Secret Service for your data.

IPSec consists basically of rules.

A rule consists of a filter list and a filter action.

I may want my calander kept secret so I might create a filter list and a filter action.

Every time my secretary wants to contact me, encrypt all communication. The filter list would be my secretary; the filter action would be ENCRYPT all communication.

I may want only secure communication with computer A. When computer A tries to contact me, encrypt all network traffic. The filter list would be computer A, the filter action would be ENCRYPT all network traffic.

IPSec is a layer three protocol that works at the network layer of the OSI model. Because IPSec works at the network layer, it has the ability to filter by IP address, protocol used, port used, name or even by subnet!

IPSec can use four diferent filter actions, BLOCK, SIGN, ENCRYPT, or ALLOW.

Now I realize if people could not be in constant contact with me, there would be riots. So I can add a second filter list and a second filter action. If anyone tries to contact me, allow encryption free communication. The filter list would be anyone, the filter action would be ALLOW.

We can add a second filter list and filter action to a rule. Pretend we want all of our traffic with Computer A to be encrypted, but we want to allow unencrypted traffic with everyone else. We could allow all IP traffic. Our filter list would be all traffic, our filter action would be ALLOW.

Let’s recap. All communication with Computer A is encrypted, all other communication is allowed. More important, all communications with my secretary is encrypted, all other communication is allowed. This does leave the evil anonymous network free to contact me so I may need to BLOCK all communications from the anonymous network. My filter list would be the popparatzi subnet and my action would be BLOCK.

I don’t want my computer to be contacted by anyone in the 192.168.1.0 network where critical research is done. I may BLOCK all traffic from the 192.168.1.0 subnet. My filter list would be all traffic from the 192.168.1.0 subnet; my filter action would be BLOCK.

What have we done?

We have a computer that will only trade encrypted communication with computer A, block all traffic from the 192.168.1.0 subnet, and allow all other traffic.

More importantly, what have we done for me? All communication with my secretary is encrypted, all communications from the evil anonymous subnet is blocked, but all other communication is allowed.

All is safe because of IPSec!

Hello and welcome to our new space in the blogsphere!

The purpose of this blog is to give you a view of the world of IT and the concepts needed in that world. Some of the posts will be about topics covered in our classes, others will not, but they will have pertinent information about the IT industry.

The contributing authors are all on our educational team and/or working in our IT department, none of us are professional writers so please excuse any punctuation or grammatical errors. We will do our best to catch any of those mistakes but one or two are sure to slip through the cracks.

We hope you find the information that will be posted informational as well as educational. Our blog will be updated once or twice a week so keep checking back and feel free to leave comments on what you see.

�